3 users thanked author for this post.

Kirsty, I wondered why I couldn’t access the original page . . . I kept getting 504 Timeouts last week. I had wanted to read any comments that might have pertained to January’s updates prior to installing them.

Is it possible to select and copy the comments on January’s updates (if any) from that page and then paste them here in order to make sure nothing fell through the cracks? That is, none of us in Group B missed reading something really important or helpful?

2 users thanked author for this post.

@suew there have been 504s on pages with barely any posts in recent days/weeks, so that may not have been the only issue. While the topic is now closed for new postings, it can still be read (if you can get past the 504s).

If the problem persists, we might have to split the closed topic in two, but I might keep an eye on that, balanced with the other problems 😉

If this ‘forum’ software had a way to limit the posts-per-page (other than turning off the ‘nested’ display method), then it wouldn’t take so looooog and be so sloooow to load up a page of many posts.

Topics on the main home page seem to be limited to a certain number (8 or 10?). If the number of posts/replies on a sub-topic page were limited to 30-40, then topics with lots of posts would not take so long to load (ludicrous speed or not).

Yes, I know that. My main point was…why is not there a ‘feature’ of this software to limit a ‘page’ of posts to some finite number, preferably user selectable…as there is on number of other forums I frequent, ranging from bicycling to R/C quad copters.

And BTW…I assume the “Notify me of follow-up replies via email” still isn’t working? I’ve checked that option on at least 2 recent topics, and never received any emails (and, no they haven’t been going into a spam folder).

I’m a Group B Windows 7 user . In late March, I was waiting patiently until MS-Defcon 3 arrived to install the March updates, and took the advice of Patch Lady’s post of 31st March to install KB4100480, the “Total Meltdown” patch.

I’m now ready to install the March update, but have I done this out of sequence, i.e. by installing the March updates now will I be undoing the remedial work of KB4100480?

Also, weirdly, Windows Update no longer offers me the March update. Obviously I’ll be downloading the March update manually, and I’m not sure if this is relevant, but I thought I’d mention it just in case.

1 user thanked author for this post.

As a Group B’er, you want “Security Only” updates, which Windows Update doesn’t give you. It gives you “Security Monthly Quality Rollups”, which you do not want, nor any previews. Use this the list, which PKCano updates monthly to get the Catalog download links for both “Security Only” and IE cumulative.

The January 2017 update KB3212642 will not show up as installed after the March 2017 update is installed, because KB3212642 was superseded by the March 2017 update. This supersedence is not documented by Microsoft.

There was no February 2017 update.

The Security Only updates should be installed sequentially and in the order of their release dates, except for two notable exceptions which are described below.

1. Install the June 2017 update first, before installing the May 2017 and April 2017 updates (in this order), in order to prevent Windows Update from subsequently being blocked on some older CPUs. This was Microsoft’s way of saying “thanks” to users who installed Windows 7 on newer generation hardware such as on computers with AMD Ryzen CPUs, yet at the same time Microsoft inadvertently killed Windows Update for some older CPUs such as Haswell Core I5 CPUs and other CPUs.

2. Install the September 2017 update before installing the August 2017 update since the September 2017 update includes newer updates for kernel mode drivers and the Windows kernel. The kernal mode drivers in the August 2017 update have issues. This is why you should install the September 2017 update before installing the August 2017 update.

The October 2017 update may cause Jet DB issues with much older applications. A fix is available at:

The November 2017 update may break printing for some Epson dot matrix and POS printers. Update KB4055038 is available to fix this issue.

NOTES ABOUT THE 2018 UPDATES…

The 2018 updates for Meltdown and Spectre COMPLETELY FAIL to protect against the BranchScope security vulnerability which was publicly disclosed in late March 2018. BranchScope is a new variant of the Spectre (CPU speculative execution) class of vulnerabilities which were publicly disclosed in January 2018. BranchScope theoretically can be mitigated, yet doing so is far from easy.

The QualityCompat regkey must be set before installing any 2018 updates. This regkey should be set ONLY IF ALL INSTALLED ANTIVIRUS SOFTWARE has been updated to be compatible with all 2018 updates, regardless of whether or not the antivirus software automatically runs when booting Windows or later is manually run, because most antivirus software installs low level I/O drivers which are loaded when Windows starts, regardless of whether or not the antivirus software itself actually runs when Windows starts.

The upshot of the above paragraph is: Make sure that ALL installed antivirus programs have been updated to be compatible with the QualityCompat regkey BEFORE you install any of the 2018 updates.

The 2018-03-29 KB4100480 Windows kernel update must be installed immediately after installing any of the 2018 updates in order to address a kernel escalation of privilege vunerability. This update may be installed after installing the 2018 updates and rebooting.

The January through March 2018 updates are inherently flawed by Microsoft. These flawed Meltdown updates expose ALL kernel and program memory to ANY program. This new expoit is called Total Meltdown. Microsoft themselves created this Total Meltdown flaw. NO MALWARE TECHNIQUES WHATSOEVER ARE REQUIRED IN ORDER TO EXPLOIT THIS FLAW.

The March and April 2018 security only updates KB4088878 and KB4093108 still have issues (SMB server memory leaks and stop errors). KB4100480 Windows kernel update for Total Meltdown must be installed immediately after installing the March update. KB4099467 must be installed immediately after installing the March update to resolve stop error (ab) when exiting a Windows session.

The April 2018 security only update will be presented and will install REGARDLESS OF WHETHER OR NOT the QualityCompat regkey is present and set within your Windows 7 computer’s registry. Why? Because Microsoft is trying to cover their collective rear ends in order to resolve the Total Meltdown vulnerability which Microsoft themselves created. The upshot is that, after installing this update and if your antivirus software is not compatible with the QualityCompat regkey, then your computer may BSOD on reboot. Microsoft kindly leaves it up to you in order to figure out how to resolve this issue.

2 users thanked author for this post.

Is it correct that KB4100480, KB4099467 and KB4099950 are now included in the April KB4093108 update?

That is a good question. The article for KB4093108 states that KB4093108 supersedes KB4100480, yet makes no mention about KB4099467 and KB4099950. Additionally, the Microsoft Update Catalog Package Details for KB4093108 do not list KB4093108 as superseding ANY updates whatsoever. Now, isn’t this a riot of fun to try to figure out?

Yet at the end of the day, KB4099467 and KB4099950 still appear to remain stand-alone updates which are not part of KB4093108.

Nothing verified, yet this is all that I have to say at the present time.

1 user thanked author for this post.

What will Group B folks be missing by never doing 4088878 on Windows 7 x64 machines that are up to date from February? Are there stable updates from within 4088878 that can be done separately from the catalog?

I’m wondering if March updates will eventually have to be installed or if “just” April 4093108 will be the way to go due to it containing fixes for things like 4100480 & possibly 4099467.

Having only installed March MSRT last DEFCON 3, it’s a bit worrisome that the others might still need doing, so I’m hoping some can be avoided. Perhaps I’m fooling myself. Please advise, thanks.

1 user thanked author for this post.

Group B folks who do not install March update KB4088878 will be missing all the fixes contained in the patch. Security-only patches are NOT cumulative. If you do not install one, you never get the fixes contained in it.
April security-only update KB4093108 takes the place of KB4100480 and KB4099467. But it does not contain the fix for NIC/IP address problems. You will need to download KB4099950 and install it manually BEFORE you install the March and April Security Only UPdates. (And, yes, you need both).

As Group B you will also need to download and manually install the IE11 Cumulative Update every month.

My suggestion is you manually install KB4099950, reboot, check to see if C:\Windows\LOGS\PCIClearStaleCache.txt file is present. If it is….
Install 4088878 KB4093108 KB4092946 (in that order, not necessary to reboot in between), reboot.
Wait for DEFCON 3 or above to follow Woody’s patching.

2 users thanked author for this post.

Group B. I haven’t updated since December so nothing from January through April. Above it says to install KB4099950 prior to the March KB4088878 update. But this article, https://www.askwoody.com/2018/patch-lady-kb4099950-gets-a-revision/, says KB4099950 does not apply to Group B patchers. Come time, do I install KB4099950 reboot and check for PCIClearStaleCache and then proceed or KB4099950 is not needed?

For the January KB4073578 or KB4056897, February KB4074587 and March updates KB4088878. Is it advisable to hold off on those for a bit longer since they don’t contain any critical patches and seemed to cause many issues or it is not recommended to continue waiting on them?

Thank you very much for sharing your knowledge.

1 user thanked author for this post.

Look for the answer to your questions to be finalized when Woody raises the DEFCON level to 3 or above. At the time, he will publish his recommendations in a blog post ans a ComputerWorld article.
All the information is not in yet.

1 user thanked author for this post.

I am in Group B with both a 32 bit Windows 7 desktop and a 64 bit Windows 8.1 laptop. Currently I haven’t patched anything since January. I skipped February and later since I absolutely rely on 2 factor authentication and read that February’s patches screwed that up and that March’s did not fix that. I know most people do use that so it might not be reported on much and maybe it got lost or forgotten about in the large amount of traffic here now. Does anyone know if it is safe for me to patch (security only) so that I will still be able to use my 2 factor authentication?

The SmartCard problem has been fixed, if that’s what you are referring to.
There have been other problems with this year’s updates. You might want to read over Woody’s DEFCON blogs and those topics where he summarizes the problems. Be sure to include the linked ComputerWorld Articles. There have been a number of hotfixes as well.

There is a problem with the May patches uninstalling NICs in Win7 that has not been fixed.

1 user thanked author for this post.

It looks annoying, but I’d like to try this “Group B” thing. Basically, on a fresh new installation of W7 SP1, I install the followings:

KB3177467

KB3172605

Uncheck all Roll-Up updates and problematic updates, keep only Security and .net framework/c++ redistributable updates and install all of them.

Is that right? Also, for IDK what reason, another guy here says to install only Office updates starting from June 2017: https://answers.microsoft.com/en-us/windows/forum/windows_7-update/windows-7-updating-in-2018/291a9582-17a7-4942-8145-8d9f68265189?tm=1524412557788

Although this is for Group A, read over the external to Windows Update and Windows Update settings in this post. Set them before you go online if they are available. Some will not be available until after updates are installed.

For a Clean Install what I use (for Group B) is:BEFORE YOU START
Download KB3020369, KB3138612, KB3177467, and KB3172605 for your bitedness. (I know you are going to ask. Yes, all four)

OFFLINE:1. Install Win7. Reboot.2. If your installer does not include SP1, install SP1. Reboot.3. Open Administrative Tools\Services. Highlight Win Update Service and at top left click “Stop”4. Manually install the four downloaded patches in the order above. Reboot.5.In Windows Update Change settings – CHECK “Give me updates for other MS produces,” and set updates to “Never Check”

ONLINE:1. Check for updates2. If you don’t want the telemetry updates, HIDE the ones mentioned at the top of AKB2000003. You will have to keep watching for these every time before you install updates. Particularly KB2952664.3. To be sure you get all the necessary updates: HIDE the current “Security Monthly Quality ROLLUP,” check for updates, HIDE the next earlier “Security Monthly Quality ROLLUP,” check for updates. Repeat this procedure until you have hidden the “October 2016 Monthly ROLLUP.”4. Download and Install manually from AKB2000003, the Security Only Quality Updates from Oct 2016 to the current month and the latest Cumulative Update for IE11. Reboot wait 15 min. & check.5. HIDE any other updates you don’t want to install (drivers, anything that has caused a problem with your PC, features you don’t want, etc)6. Install everything else that is CHECKED in the “important updates” list. Reboot. (I like to do this in batches. (“Updates for Win7,”) reboot wait 5 min. & check, (IE11, .NET 4.5.2 or 4.6.1 ONLY, any additional “Updates for Win7,” and in the optionals KB2670838 Platform Update), reboot wait 5 min. & check, (any “Update for User-Mode Driver Framework”, Update for Kernel-Mode Driver Framework,” and “Update for ActiveX Killbits”), reboot wait 5 min. & check, (“Security Updates for Win7”), reboot wait 5 min. & check, (“Security Updates for MS .NET”), reboot wait 5 min. & check, (anything else that is CHECKED in the “important updates” list), reboot wait 5 min. & check.)7.Repeat #5 and #6 until there is nothing left that is CHECKED in the “important updates” list.9.HIDE any UNCHECKED important updates that you don’t intend to install in the future.10. Reboot. Wait 30 minutes. Run Disk Cleanup, click “Cleanup System Files,” be sure Windows Update Cleanup is checked, click OK.

I use Office 2010. I install all the checked important updates. from WU
I also install the .NET Rollups that are checked important updates in WU.

1 user thanked author for this post.

Even if IE updates are listed multiple times on https://www.askwoody.com/forums/topic/2000003-ongoing-list-of-group-b-monthly-updates-for-win7-and-8-1/ I have to install all of them? I just have to stick to that list anyway?

1 user thanked author for this post.

@PKCano: Thank you for your very clear reference to the IE cumulative update being part of the Rollup you install as Group A. I sincerely appreciate the clear, concise reply. Your expertise is outstanding, as it always is. Thank you once again, PK. 🙂

2 users thanked author for this post.

You can’t install all the standalone WU Security-only patches in a row: you have to turn off the WU update service -> turn on -> install one update and keep repeating this procedure or the MSU installer will get stuck into a loop of “searching for updates for this computer” as documented here:

The Windows Security-only patches have to be downloaded from the catalogue and installed individually using the M/S standalone installer. I myself would have WU turned off whilst doing this, until I want it to do a search afterwards. But forgive me if I’ve misunderstood your point.

1 user thanked author for this post.

You misunderstood. Windows 7 has lots of unfixed bugs. One of them causes your PC to get stuck in a loop “searching for updates for this computer” when you the M/S standalone installers downloaded from the catalogue. That’s why you have to keep disabling and re-enabling the WU service after every single update.

4 users thanked author for this post.

Under “Optional” updates I have “2017-10 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7 on Windows 7 and Server 2008 R2 for x64 (KB4043766)”, update framework driver mode, a lot of “update for windows 7 64bit based systems”. Should I Install them even if optional?

1 user thanked author for this post.

Seeing as we have probably 19 more months of Win7 Group B security-only patches & 55 more months of Win8.1 Group B security-only patches coming from MSFT, might I suggest splitting AKB 2000003 into separate AKBs, 1 for Win7 & another for Win8.1?

As it is now, it will only keep getting larger and may eventually grow too big to keep together in a single post. Once support for Win7 stops in 2020, it would make more sense to separate out Win8.1 and why wait until it gets larger to do it?

No real necessity to do it now but either way, I find this AKB to be extremely valuable especially to those who perform clean installs and wish to remain in Group B and I thank you all for keeping this AKB updated.

The Security Only updates are not cumulative. Take the ones you are missing and install them in order (Stop the Windows Update Service – you do not need to reboot in between). You do not need to uninstall anything.

Was there ever a definitive answer whether or not KB4099950 applies to Group B or not? I have tried searching but can’t find an answer.

What happens if the security only patches are applied and the user has the NIC/IP error that KB4099950 is for? Can KB4099950 then be installed to fix it or it must be run before the March Security Only KB4088878?

is not a Group B patch. Group B patches are Windows SO and IE11 Cumulative.

However, you need to install KB4099950.
If it was installed on your PC before April 17, you need to uninstall it and the March SO first b/c KB4099950 was modified 4/17. Then you need to download the current version of KB4099950 from the MS Catalog. There are two files (an .msu and a .exe). To install, double click on the .msu – the .exe will be automatically executed in the process of the installation.

Install KB4099950 before the March SO (do not reboot), install the March SO, and reboot immediately after.

Thank you PKCano for posting the list of “Group B” Win7 updates. Please correct me if I have the following procedure wrong:

I have downloaded the Jan-May Security Only updates, along with KB4099950 and IE11 KB4103768. I will install Jan, then Feb updates, followed by KB4099950 as I do not have the “C:\Windows\LOGS\PCIClearStaleCache.txt” file present. I will then install Mar, Apr, and May SO updates, followed lastly with IE11 KB4103768. If I have this correct, when do I reboot during the procedure?

I have downloaded the Jan-May Security Only updates, along with KB4099950 and IE11 KB4103768. I will install Jan, then Feb updates, followed by KB4099950 as I do not have the “C:\Windows\LOGS\PCIClearStaleCache.txt” file present. I will then install Mar, Apr, and May SO updates, followed lastly with IE11 KB4103768. If I have this correct, when do I reboot during the procedure?

So, taking that into consideration and the fact that I want to create a new clean image backup and move on into something more productive,… I wanted to update.

Would you recommend it?

How would you do it? Any specific installation order other than the chronological one?

Anything I can do regarding the Meltdown-Spectre situation from this whole 2018? I am not up to date about that, but my retailer (Asus) is not offering any BIOS update (they are only offering Intel 6th, 7th & 8th gen, and my processor is 3rd gen) and I would not want to waste any processing power into fixing a “there-is-not-any-real-threat-yet” problem.

First let’s get the correct information about DEFCON. The DEFCON rating only applies to the current month’s updates. The fact that we are at DEFCON-2 does not mean you can’t update anything. It only means that THIS month’s updates are on hold. Updates from previous months have been cleared (or not) and according to that month’s instructions are safe to install (or not). So th only on-hold as of today, are June 2018 Updates.

My recommendation for your case:
+ You are up to date as of your April 2017 image.
+ Download all the security-only updates. the Dec. 2017 IECU, and the May IECU.
+ Set Win Update to “Never check.” Reboot.
+ Stop (not disable) the Windows Update Service. Leave the Services window open.
+ Start with the 2017 security-only updates you are missing and install them in order. Then install the Dec. 2017 IECU. You do not have to reboot between the patches.
+ Reboot, wait 15 minutes after login (Task Manager usage should drop to 0 or a very small number)
+ Stop (not disable) the Windows Update Service. Leave the Services window open.
+ Install the May 2018 Security-only update, then Jan-April SO, then the May IECU (Hopefully, installing May’s SO first will take advantage of fixes). If you find a second .exe file with any of the SOs, download it and put it in the same location as the patches but don’t click on it)
+ Reboot.

What you are doing is updating to Dec 2017 and rebooting. You may want to make an image at this point b/c Dec 2017 is stable and before the M/S mitigation. Then catch up to date and wait for the DEFCON-3 for June patches.

4 users thanked author for this post.

Thank you for that quick response. It is really helpful, explicative and with very easy to follow instructions. I will do as you said.

2 tiny follow-up questions:

You said to update until May 2018, but the 2018 June SO (4284878) and IECU (4230450) are listed as safe in the Patch list master. Should I still wait for the DEFCON 3?

That second .exe file you were talking about. I don’t understand what are you refering to. Is that the Jan 2018 KB 4073576 and Jan 2018 KB 4077561? Does that also include Nov 2017 KB 4055038 (as listed at the 2000003 post)? If so: do I download them and leave them in the same folder with the other SO updates but don’t click on them? Will they get installed somehow just by clicking in that month SO? Or in case I have to copy those .msi files somewhere. Where do they go specifically?

About the DEFCON rating clarification. Thanks for explaning it. I get that is only about the current month updates. But in this situation, or whenever I haven’t had the time to update the PC in a few months it gets quite time-consuming to follow all the issues with every update / OS version / MSOffice / IE / Flash / Meltdown-Spectre… (although that has been easier in the last months/year with this post and the master patch list). So I usually rather wait until you see a general “go ahead”, or you have to invest a full morning or whole day going through countless posts and explanations since I last updated (more than a year in this case). But again, I feel like this rarely happen anymore.

The second file (the .exe) will appear in the download link for the SO if it is still needed. The SOs have a .msu extension. If you also see an .exe when you click on the link, download it also. It has no KB number. It will get automatically executed in the SO installation process. You don’t have to do anything with it except put it in the same location (folder or whatever) as the SO.

Woody will probably raise the DEFCON number this weekend or sometime during next week. Certainly before the next Patch Tues.

This issue you are referring to, Purg2, has surfaced repeatedly since KB 4345459 showed up last month, with variable results as to conclusions.

In the interests of Patching Science, I recently performed the following two experiments: (1) Installed KB 4338823 (after creating a restore point where I could beat a retreat to if the action got too hot after updating.) Then restarted and tested to see if my installed applications were working normally, performed the most important (to me) activities… and all seemed well. Then, (2) at the instigation of DrBonzo, I continued experimenting, and installed KB 4345459 following the previously mentioned steps, except for the restore point, as one seemed enough already. Again, everything copacetic.

In conclusion: do (1), or do (1) and (2). Or, if you are really ambitious, maybe carry out your own experiment and install KB 4345459 by itself. My expectation is that, probably, you still shall live long and prosper.

2 users thanked author for this post.

FWIW, I patched WIN 7 Starter 32 bit last night. Did the IE 11 (4339093) first, then rebooted. Then I did OscarCP’s 1) and 2) with a reboot after each patch. Everything is fine.

Also, there’s a post from Aboddi86 somewhere here on AskWoody where he states that 4345459 does indeed replace 4338823. I’ve gotta run right now, but I’ll try to find that post later. So, I think you could forget about the original SO patch (4338823) and just do 4345459 and be just fine. I did both just because I was curious and was using a guinnea pig machine.

2 users thanked author for this post.

Thank you for the update info StruldBrug, i also updated 5 win7 32bit (mixed Intel and AMD processors) for July and August with the SO’s, IE’s and MSRT’s and Office 2010 (on one machine). DISM kicked out KB2509553 MS11-030 from 04/11/2011 a LLMNR DNS resolution patch…

1 user thanked author for this post.

I follow Windows 7 Group B for the security only and internet explorer updates, I check every few days to see whether Woody has moved from Defcon 2 to Defcon 3 but I seemed to have missed when it was safe to install the July updates.

2 users thanked author for this post.

Given that the July 2018 security only update for Windows 7 was considered unsafe to install, how do I now go about installing both the July 2018 and August 2018 security only updates safely? Surely, as soon as I install the July 2018 update and reboot, my system will, by all accounts, be in an unsafe state.

I presume that I should forget about KB4338823 completely because KB4345459 is a complete replacement for it?

And I presume that I need only install the Aug 2018 security only update for IE, KB4343205, because IE security only updates are cumulative?

1 user thanked author for this post.

What does Group B (W7) do about .net framework for August? Microsoft Update Catalog provides a slew of downloads (.exe and .msi) when requesting KB4345590 or 4345679. Nothing offered in Windows Updates regarding .net in August. Please advise!

As I understand it, Group B doesn’t address .NET. So you need to decide whether you want the .NET Rollup or the Security Only patches. If you want the Rollup, just let Windows Update do the install for you – it “knows” which of the slew of downloads you saw your computer needs. If you want the Security Only, then I would suggest you download ALL – actually you should find 2 equivalent sets one set being .exe and the other being .msi, either set will do – of the slew of downloads you saw for 4345679. Then install ALL of them. You may find that all will install, or you may find only some will with others giving a ‘not applicable to your computer’ message. That usually just means your system doesn’t have the version of .NET that patch is for. When you’re done, you might go back and try to install any that didn’t install initially, just to be sure.

Any way, that’s what I used to do and it served me well.

PS – If you know exactly which versions of .NET you have, you can eliminate many of the slew of downloads you saw and only download/install the relevant ones. I used the brute force method because I think it’s a pain to find out which versions I have and I never remembered to write them down when I found out! There are ways to find out what versions you have but I don’t know them off the top of my head.

Good luck!

1 user thanked author for this post.

The .NET version(s) that one has are listed in Control Panel > Programs and Features, under Microsoft .NET Framework n. ….
I have 4.7.1, which replaced (and eliminated the listings of) 3.5.n, and perhaps some 2.n.

3 users thanked author for this post.

If you follow Steps B3 through B6 above you will find .Net updates will show up checked within Windows Update, if any are available. There isn’t telemetry associated with the cumulative .Net updates, if that is your reason for following Group B updating. So you can install any checked .Net updates… but don’t install any unchecked updates. Remember to uncheck the Monthly Quality and Security update before installing any other checked updates.

1 user thanked author for this post.

RE: #216134 “What does Group B (W7) do about .net framework for August? Microsoft Update Catalog provides a slew of downloads (.exe and .msi) when requesting KB4345590 or 4345679. Nothing offered in Windows Updates regarding .net in August. Please advise!”

Thank you for the responses to my inquiry (above), but I think some missed the point.

1. Windows Updates does NOT show any .NET Framework patches for download. I hid July ones because of issues, but when I checked for August (a day or two ago), there were NO updates for .NET (checked or unchecked).

2. I went to MS Catalog and looked for KB345590. It has a download link but when you click it, it shows 5 different files. If I read DrBonzo correctly, I guess I need to download these 5 files and install each of them if I want KB345590. However, does anyone know why Windows Update didn’t offer KB455590?

Further Information:

3. I am assuming I need .NET Framework patches because they provide security fixes, and I know I haven’t installed any for at least 2-3 months.

Perhaps some/all .NET patches inadvertently got installed without your knowledge? That sort of thing has been known to happen. Open Windows Update. On the left click on ‘view update history’ and look for .NET patches. Also on the left, click on ‘installed updates’ and check for patches.

As of last night I was offered the KB4345590 patches by Windows Update on 2 Win 7 computers. Installed it on both machines via WU. This morning all I was offered and am currently being offered is .NET 4.7.2, which isn’t really a patch, but rather an ‘upgrade’ from 4.7.1.

I checked like you suggested, and the only recent .NET Framework patches installed were from June ’18, so what I wanted was not inadvertently installed. Thank you for the suggestion, however, as well as your other comments.

PaulK:

Yes, I realize this is what you get. I clicked on the appropriate one and was then offered 5 files to download (some ending in .exe and some in .msu plus another). My original question was in regard to whether or not I should download & install all 5 files offered or just specific ones. Thank you for taking the time to provide a screenshot. See below for the resolution.

Elly:

I did as you suggested (looked at hidden updates), and it turned out that the .NET Framework patch I had previously hid was KB 4345590, which is what I was looking for. Apparently, when I accessed the July Windows updates and hid some, it was actually in mid-August not July. Thus, I had hidden the August .NET Framework patch thinking it was the July patch. I subsequently downloaded & installed it.

Thank you to everyone who replied and offered suggestions. A special thanks to Elly since his suggestion led to resolution of the issue.

Over and out. Be Calm and Carry On the good work on askwoody.com.

1 user thanked author for this post.

Just mention: long list of KBs was superseded by KB4457145 and much more longer list of KBs superseded by KB4457144. Anytime we should consider steps of B group and supersedences, month by month it can change and honestly, not every month I rescan WU from scratch on clean W7SP1, but this month… I will.

WS7 SP1 Home x64 Group B September 08 Beta Test
Configuration: Simple home consumer with no network, no peripherals, no office, no Vmware
Malware check: Eight scan tools run, including MSRT, and quarterly anti-rootkit, all clean
System File Integrity: SFC-CBS log produced and quarterly SURT log, both clean
Backup: New full image of system drive created
Updates:
KB4457145 OS Security Only
KB4457426 IE Cumulative
KB4457918 .Net Rollup
KB4463376 IE Cumulative (fix)

After each update that offered “restart now”, first started Task Manager and waited for Trusted
Installer to complete. This took about 5-10 minutes. Then restart was selected.
After each restart, Event Viewer was checked. Only warning showed after .Net update, IIS metabase
updates were aborted … IIS isn’t installed nor is it wanted.
Tested applications, known to require .net 4.5 and 4.6, all okay. Normal operations appear A-Ok.

2 users thanked author for this post.

just installed KB4463376-IE, and KB4457145-Sept. SO from here and KB890830, and KB4457044-.Net 3.5.1 (the part of the KB4457198-.Net rollup the machine wanted) using win update on win7-32bit and it came back up for air! I must have installed KB3177467 and then removed it because of problem(s) it had two years ago? the file remnants are probably in the SxS basement? or not.
Anyway, the “b” style worked for September 2018 patches.

1 user thanked author for this post.

I follow Windows 7 (x64) Group B. I’m up to date on the security only and IE11 updates but I’m not up to date on the security only updates for .NET Framework 4.7.1

I’ve searched the site and been onto the master patch list page but I’m not sure which ones to install. I would be extremely grateful if someone could tell me which security only .NET Framework 4.7.1 to install. Microsoft downloads the rollups and previews but I hide those.

1 user thanked author for this post.

On this MS page you will find the KB number for the different versions of .NET SO for Sept, 2018. When you go to the Catalog, search for KB4457914 (this is the bundle for all the .NET SO updates). Then click on “download,” choose the link that applies to the .NET version.

You can find the MS page by searching for the bundle KB number, clicking on the name of the update (instead of “download”), and in the box that pops up, choosing “More information.”

3 users thanked author for this post.

On the Microsoft Update Catalogue, there are two updates for KB4457914 that mention Windows 7. Both mention 4.7.1. One mentions “for Windows 7”, the other mentions “Windows 7 and Server 2008 R2 for x64”, I presume it is the latter but would you please confirm that is correct, as I don’t want to download the wrong one.

I presume that I will need to install previous months .NET updates before installing the September one, how far back should I go, the last one I have is February.

1 user thanked author for this post.

Looking at my hidden updates for .NET they are all previews or rollups, Microsoft doesn’t appear to have downloaded any of the security only. In order to check that I do have all the ones I need, where would I find the update KB numbers (if there are any) since February.

Look at the description of the Sept SO .NET. Use parts of it to search the Catalog (use a + between search terms). something like “2018 + security only update for .NET Framework” – should give you all for this year.

To be honest with you, Group B is about telemetry. .NET Rollups should be safe in that respect. In fact, Group B instructions recommend the .NET Rollups. That way, you don’t have to worry about which update goes with which version – WU takes care of it for you.

Hello to @PKCano & @Kirsty! Since Microsoft has decided to include KB2976978 in the Monthly Rollup (interestingly, I still see it in Windows Update for my Win8.1 64-bit machine), I’ve finally decided to move to Group B this month. Besides downloading KB4462941 (Security Only update) & KB4462949 (IE11 Cumulative Security update) from the Catalog, should I also download & apply KB890830 (Malicious Software Removal Tool), KB4459924 (Security & Quality Update for .NET Framework), & KB4462930 (Update for Adobe Flash Player) from the Catalog as well?

Windows 8.1, 64-bit, back in Group A... & leaning toward Windows 10 V2004. As long as it's a Lot Less Buggy!
Wild Bill Rides Again...

1 user thanked author for this post.

I’ve been away for a while and am looking for a list of security-only updates for Windows 7 x64 that are safe to install starting September 2017 until now. I checked here but it’s unclear to me which ones are safe and which ones aren’t safe and should be avoided.

Could it be possible to just post a list of recommended security-only updates for Windows 7 x64 that can safely be installed?

1 user thanked author for this post.

I know, Group B is about Win SO updating, but still believe, this is right place for topic here.

I am GroupB + .NET (secu and quality) and every month I do prepare such a collection of files and scripts, to be able install Windows in exact state of that month, in 3 ways (Group A, GroupB + NET 461 and GroupB + NET 452).

Since, October was really poor month, later then usual, right now, Im closing (making) my “Win 7 – 10-2018” set and found something. Those “.NET secu and quality” … seems not to be so cumulative.

After clean install of my “Win7 GroupB + NET in 2018-10 state”, next WU scan ask to install KB4457918 (2018-09 .NET). wow, strange. I hit it and analyze WinUpdate.log, which shows me, KB4457044 (.NET 3.5.1 of 2018-09) has been installed.

This shows me, those .NET patches are not so cumulative, as I presume (4.5 and 4.6 actually ARE cumulative, but .NET 3.5.1 not and I have to install 351 patch 2018-09 AND 2018-10)

Any ideas why?

Whats more confusing to me is the name, listed in MS Catalogue. In my language (Czech) its written (writing exact translation to EN)> 2018-XY cumulative update for security and quality. But WinServer2008R2 version (not translated in Czech version of MSCatalogue) in original> Security and Quality Rollup for …..

Now, I am thinking, whats exact meaning of “Rollup” and “cumulative”. Is this MS bug or bad translation? Should it be cumulative, month after month those .NET updates? For anybody, not installing separate from scratch Win7 in 2 separate version (September and October) is this ….. simply invissible.

Ideas?

2 users thanked author for this post.

“Rollup” means a bundle. many patches together.
The .NET Rollup contains individual patches for multiple versions of .NET. But the Rollup does not necessarily contain updates for ALL versions of .NET – in any given month, some versions of .NET may not have an update. If there have been no changes to one of the versions, there may not be a patch for it. But Windows Update doesn’t discriminate ahead of time – everyone gets the Rollup through Windows update. It only uses the individual patches that apply to each individual machine.

“Cumulative” implies the current one contains current fixes plus all the previous fixes.

3 users thanked author for this post.

Jul 2018 KB 4345459 (released 7/16/2018, replaces KB 4338823, fixes 0xD1 error, W3SVC, tcpip.sys) Does this mean that you still have to install 4338823 before or that you can skip it on a new Windows 7 installation?

Also, in the case I want to make an AiO W7 ISO with all the Group B updates already applied, what else do I need to be really complete? I added KB3020369, KB3138612, KB3177467, KB3172605, all the list of security updates till November 2018, I would need also the rest of importa updates + .NET + Office, but where to find those? I saw there are tons of apps like WHDownloader, Windows Update Downloader, etc. but most have discontinued support or list useless updates as “needed”/”adviced”, so I can’t seem to trust them…

KB3020369, KB3138612, KB3177467, KB3172605 – These need to be added offline immediately after installing Win7+SP1. They will speed up the search for updates through Windows Update.

Windows Update Mini Tool (WUMT) can help you download the updates. Many here use it. There are discussions about it’s use here on the site. Start by looking under the “Tools” Forum. Then use the search box. on the right side of the site.

You may find some information that will help here, and from this post to several below it. Realize these are a year old.

1 user thanked author for this post.

I see that now there is a new tool: https://www.askwoody.com/forums/topic/windows-update-manager-wumgr/

Anyway, both important and recommended updates are mixed together, it doesn’t specify which one is under “category” column, nor it makes distinction for “.NET” which is under the category “Windows 7”. The only thing it can differentiate is “Visual Studio”, “Office” and “Windows Defender”…

Also I don’t understand why you linked those posts PKCano: are you indirectly saying that you don’t believe in making the life easier embedding all updates in an ISO and you prefer to do everything manually on every single machine you come across?

Anyway, I’m thinking to just embed all security updates and that’s it… I guess it shouldn’t take too much to install the rest which is just some minor hotfixes, .NET and Office… At least I hope, I’m gonna make a try on a new machine. Then I can just write down all extra stuff I had to install looking at WU chronology and embed it in the ISO for the next time I guess…

“Rollup” means a bundle….
“Cumulative” implies the current one contains current fixes plus all the previous fixes.

Well, well. Thats valid theory, OK so far. And since MS in Czech translation of those KBs names use explicitly word “kumulativni” (cumulative), whats called Rollup in original english written name, at least this is bad bad translation, aghrrr.

Still, I believe, its bug, a sort of. Even (KB) numbers of 2018-10 are lower than 2018-09 numbers, interesting. I personally have idea, why. And another interesting fact is, I do backtrace all my separate “Win sets”, month by month back in past (have them since patchocalypse) and found: however nobody ever said, their are cumulative (just Rollups), they actually ARE. All the time since 2016-10, every .NET related patches have been replaced during next update (and effectivelly, they were cumulative, untill now).

There are other facts supporting this concept – D3compiler patch (4019990, signature dated 4/28/2017) included in every next rollup …. or more complicated example: 2017-11 .NET rollup includes D3compiler patch (initially released 2017-05 rollup), 3.5.1 patch unchanged since 2017-09 rollup, 4.5.2 patch updated little bit 2017-10 (socalled swedish lang fix 🙂 of 2017-09 release and the only one updated at 2017-11 patch for 4.6 …. this is for me proof at least they tried to be cumulative.

I am “digging” for these details with single reason – is it just a supredences/metadata error (like we saw plenty of them) or is this really remarkable change of concept of .NET patch model? In the second case, I suggest add some note to KB20000000000003 or anywhere you think its usefull.

I posted this previously in the Questions: Windows 7 forum, but I think it may be the wrong place for questions regarding 2018 patches. Please forgive me if it’s incorrect to post it here.

I rolled back from March, 2018 to December, 2017 and have installed no Windows updates in 2018 except for Security Essentials definitions. I work in video editing and production, and observed an impact to performance after the Jan. -> March, 2018 security only updates, hence the rollback.

What do I need to install now in November, 2018 that will not drastically impact
my computer performance? Is it safe to install the latest IE11 cumulative update?
What about .NET framework updates–I am running version 3.5.30729.5420?

I’ve read Susan Bradley’s post #218232 about installing all of the 2018 updates, then disabling Spectre/Meltdown protections via registry edits. Is this a viable solution or should I just stay put at Dec. 2017?

The latest IE11 Cumulative Update should be OK. I have not heard anything about the .NET patches causing a slowdown.

As far as the Security-only patches – I know there were slowdowns associated with the Jan-Mar patches. About the rest, well, that’s a question. You could install the patches and disable the Meltdown/Spectre protections in the Registry and see if that works. The patches can be uninstalled and the Registry setting set back to original if it doesn’t work. That’s a lot of work.

Before you try anything like that, be sure you backup your data and make a full image of your computer. Then set a restore point along the way. And don’t forget you will need the Servicing Stack update as well.

Install whatever is in WU for your version. Windows Update will handle whatever needs to be handled. Be careful not to get installers for later versions of .NET than what you have. I know the installer for .NET 4.7.2 sometimes shows up.

1 user thanked author for this post.

@PKCano: How do we know which version we have of the .NET ? I have nothing pending now, other than one unchecked .NET in the Optionals, and I won’t touch that one. Thank you again for your wealth of information and guidance. Great work! 🙂

There are three separate .NET updates listed in WU for my version (3.5.1):
KB3122648, KB2972211, and KB2973112.
There is also the Security and Quality Rollup for .NET Framework (KB4457918).
Should I simply install the Security and Quality Rollup?

1 user thanked author for this post.

I would go ahead and let the older ones install as well. WU won’t overwrite newer files with older ones. If those are not needed they will simply not be installed, but it will satisfy whatever WU needs so they don’t keep showing up.

As a Group B-er, I just downloaded “2018-11 Security Only Quality Update for Windows 7 for x64-based Systems (KB4467106)” from the “2000003” list. Its .msu shows only 8.0 MB in size. Since it’s been larger in the past, I also checked the Microsoft Update Catalog, and saw that its .msu size is 36.6 MB.

I also had the same experience as SueW had when I downloaded and saved the November Win 7 x6 (KB4467106) Security Only file from the “2000003” list on 12/7. At first I didn’t take note of the size of the file, and it was only after 2 attempts at trying to install it and receiving the following error & message: 0X8007000d “Data Is Invalid”, that I realized there was a problem with the file. It was at that point when I questioned the size of the file compared to previous Win 7 SO updates I’d downloaded and installed. I too went to the Microsoft Update Catalog and saw that the size of the download should be 36.6 MB rather than 8MB. I went ahead and downloaded the file from the catalog. It installed without a hitch along with the rest of the November SO updates. Later that same day, 12/7, I used the link from the “200003” list and downloaded and saved another copy of the same file, and it still only downloaded an 8MB file.

I can also confirm that after that day the file downloaded from the “200003” link downloads the correct 36.6 MB file as PKCano has so indicated.

1 user thanked author for this post.

When you download a file, and don’t give the download time to finish, you will actually find two files. One will have the correct name, the other a .part “partial” extension, and the files won’t have the right size. Perhaps you didn’t wait long enough for the download to complete? Or maybe MS is messing up, b/c the links are actually direct download links to the MS Catalog. There is NO indirect download.

PKCano, I have no clue as to what caused the link to download only an 8 MB file, but I can say with 100% certainty that the file had completely finished downloading to the location I intended, and the file has the same file name as the correct 36.6MB file. Not only that, as I previously stated, I was able to duplicate it by downloading it a second time about an hour later.

I still have that second copy of the 8MB file if it is of any use to you.

2 users thanked author for this post.

I’ll back up both of their claims, I also downloaded an 8,192 kb file three times using the direct link from here on December 5th before finally getting the correct one on the fourth attempt. I just chocked it up as a downloading issue on my end but obviously it wasn’t.

1 user thanked author for this post.

Over the weekend I remotely installed the Group B updates on several computers using direct download links from the Catalog and on NUMEROUS occasions downloaded these same “incomplete” files mentioned above. It happened while downloading both the SO update and the IE SO update and each time the errant file downloaded was exactly 8,192 kb.

This has to be an issue with Microsoft as I downloaded these updates from computers scattered all around the US. Just figured I’d add this latest info in here so others downloading these screwed up files from M$ knows the problem absolutely is NOT on their end.

thank you for the “green” light and thank you PK for helping on Christmas!

i did the out of band IE update the 19th along with the December SO, no problem(s). today i finished the updates on “B” style win7 32 bit systems. the machine with Office ’10 wanted me to download and run KB947821 the 151.6 MB “System Update Readiness Tool!” i scanned for updates after hiding this bad fish and it showed up for an encore and then slinked away on the second rescan ha, ha on you Microsoft… i skipped that ordeal (i’ve fallen in that trap b4), installed the patches and am on my merry way to happy new years!

ran disk cleanup\DISM and there were no updates removed this time. whew, glad that is over for a few days way to much care and feeding for windows 7, the XP downloaded and installed the December updates on the 11th in under 4, yes four minutes and the linux does not require user input to stay on the straight and narrow…

2 users thanked author for this post.

I’m in group B. I’ve been trying to download the Win7x64 November SO update. I’ve gone directly to the catalog (https://www.catalog.update.microsoft.com/Search.aspx?q=KB4467106) and it keeps giving me a faulty ~8MB file. I saw in comments that people were eventually able to get the correct file from Microsoft, but I’ve been trying for some time and it isn’t happening. Does anyone have a copy of the actual update they would be willing to share with me?

You can download KB4467106 from AKB2000003 on this site. The links are direct download from the Catalog. However, when this happened before, the problem was on the Microsoft end, not in AKB2000003. People just kept trying till it worked.

The file can not be uploaded to AskWoody, so the exchange would have to take place through Dropbox or some similar online storage. If you get the update from someone else, be sure to check the authenticity.

Thanks, PKCano. As far as I can tell, the page you linked simply links directly to the catalog download I referenced. I did try getting the update from there originally, but since it’s the same source, no luck. I’ve been trying to download this update since November, and now it’s almost January. Every single time I click it, it just gives me the unusable 8 MB file. I really hope someone has a copy and is willing to upload it somewhere.

If no one does, is it OK to just skip this one and move on to the December update?

In my role as neighborhood Santa in the last few days, I’ve downloaded a bunch of patches from the Catalog. The MS servers have been, shall we say, very inconsistent as far as time required for successful download, whether downloads were successful, etc. etc. etc,. Using IE to download seemed to help as did a File —> exit command from the menu, and then a fresh restart of IE (IE 11 on all the computers I used) and then a download attempt. I ran into your problem a few times and as PKCano said, just keep trying.

It may help to check your Download folder (or where-ever you save downloaded files to) and delete any existing copies of the file, then close your browser and dump your temporary internet files before trying to download it again.

I had the same problem you’re having while updating numerous computers last week and it may just be a coincidence but going through that process a couple times worked on the last three I updated.

1 user thanked author for this post.

PK – I’ve been too busy with other things to keep up after all these years of playing “I’m a B type, I can do this” with microserf. Finally I’ve gotten so far behind (family issues) that in trying to catch up I’ve found that I cannot do so. My last catch up was Sept 2018 – KB4457145. That worked, but when I tried to download KB4457426 and/or KB4463376 for IE nothing happened. No download, and no other info. I checked my link and it’s fine.

The IE11 updates are CUMULATIVE. So you only need the last one. If you are patching through Dec 2018, use KB4483187. If you are using Jan patches, use the one for Jan. In any case, you need only one. The links to some of the earlier patches may not be valid if MS has pulled them b/c they’ve been superseded.

on the other hand, when the KB4483187 IE11 update is installed (and I removed/uninstalled the old KB3185319 IE11 update from my Win7 & Win8.1 computers) and ran Windows Update, it no longer offered the old IE11 updates like KB3185319. so it looks like KB4483187 completely replaces KB3185319 & older IE11 updates.

1 user thanked author for this post.

I forgot to mention, the MS Catalog download (direct links in AKB2000003) has been messed up for a couple of months. People have been getting 8MB files instead of the patches (Read above complaints) even when downloading directly from the MS page. Be patient and try again. Eventually it seems to work.

i updated win7 32 bit (Dell 4300 Dimension with Intel 2.8 MHz SL7EY, 1GB PC133 ram) today using the links on AKB2000003 with no issues. Windows update (after the standalone January SO and IE11) offered KB4481480 January .Net rollup and KB890830 January MSRT also no installation issues. i will wait a bit longer (better DEFCON position) to update the remaining 3 machines.

The .Net update ngen / mscorsvw.exe took 4-6 minutes to run the servicing routine on all three machines, and wrecked my disk fragmentation, as usual. If interested Defraggler shows the (temporary) scrambling to specific files on the drive caused by .Net updates.

If you are patching through Dec 2018, use KB4483187. If you are using Jan patches, use the one for Jan. In any case, you need only one.

Next “second Tue” approaching, so I also made some tests with January WU state. And I have the same idea as EP. In general, IE patches should be cumulative, but that Dec2018 incident (out of band ie patch KB4483187, replacing regular KB4470199) is not that fashion. Because, January IE patch KB4480965 in theory, it should include features/fixes from 4483187, but it seems it doesnt. Tried that in GroupA way, tried that in GroupB way, after all updates (including Jan IE 4480965), next WU scan asks for KB4483187.

Whats more confusing, MS Catalogue about KB4480965, it mention, it is replacing both Dec IE patches. Strange, MS confirm its cumulative (by mention in catalogue) and also deny it (with WU scan result). This could be supredences problem or even worse – that idea about “cumulative IE” is not valid anymore.

And since, we, the people of group B, rely on exact information, without possibility to verify it by WU scans, this should be investigate very carefully. Personally, I also will do some research about the similar situation in Sept IE patches (KB4457426 vs KB4463376).

This deserve more care, that just “So, noted”.

HzK

p.s. PKCano, if you really do bielive “only just 1 last IE patch”, why there are so many of them in official “Group B list”

p.s. PKCano, if you really do bielive “only just 1 last IE patch”, why there are so many of them in official “Group B list”

Because, by definition, they are cumulative.
The list is populated monthly and the past ones are not removed. It is ongoing.

The problem you are seeing is because there can be a difference between metadata supersedence and component supersedence. A patch can REPLACE the components of another patch and still not METADATA supercede it.

An example of this the Monthly ROLLUP and the Monthly ROLLUP PREVIEW.
The Monthly ROLLUP (issued on Patch Tues) is composed of three parts: non-security patches, security patches, and the IE11 CU. It is a SECURITY Update and is CHECKED in the Important Update list.
The Monthly ROLLUP PREVIEW (issued on the third Tues of later the same month) is composed of four parts: the three components of the Monthly ROLLUP plus the non-security updates for the following month. It REPLACES the Monthly Rollup component-wise, but because it is a NON-SECURITY update, it cannot METADATASUPERCEDE the the Rollup. Therefore, it appears in Windows Update as an UNCHECKED Optional Update. A non-security update does not metadata supercede a security update.

You have the same situation with KB4483187. It REPLACES KB4470199, but it does not METADATA supercede it, so you will keep seeing it. But if you install it, it will not overwrite the following month’s IE11 CU components because the later CU has COMPONENT supercedence.

Windows Update works on metadata supercedence. The actual Updating Process works on component supersedence.

1 user thanked author for this post.

Sorry in advance for such a blasphemic question, but really.. it’s still unclear to me whether or not GroupB are prescribed to integrate either of those two KB into their Gold Windows 7 x64 Installer Media Image:

Service Pack 1 (KB976932)

Enterprise Rollup Update (KB2775511)

Convenience Rollup Update (KB3125574)

It does seems clear to me that SP1 is a sure go, but is it for GroupB, without any post-deploy “defusing” operations ?

@owdrtn your question about Installer Media images isn’t related to the monthly Group B updates in AKB2000003. I suggest you post your question in the AdminIT Lounge forum, perhaps in the Managing Updates in Organisations topic of that forum.

I’ve recently discovered the Simplix Pack to create a fully updated image of Windows 7, but I’m wondering whether it’s better or worse than the list here provided. I’m asking for some feedbacks based on the list of updates that the latest version of the program integrates: https://pastebin.com/UhAf8s3c To me it looks like it integrates lots of useless old updates and that it doesn’t use Security-only updates.

Basically I’m asking if it’s better to use a fully updated W7 image where I integrate the Security-only patches found here on AskWoody or use the updated W7 image created with the Simplix Pack.

I suspect any updated image you find that was made after October 2016, when Microsoft started the Rollups, will include the Rollups and not the Security-only Updates. The updated images will be all the Rollups included until the date of imaging (there was a new Win7 image current through Nov 2018 made just recently).

If you want the Security-only patches, you will need to use an older ISO and manually update. The list in AKB2000003 are direct links to the MS Catalog, so if you use them, you have the latest SO patches.

This is not a downloaded ISO image, it’s a tool that automatically downloads all the needed updates (excluding telemetry updates) and integrates them in your own WIM image. The tool gets updated every month with the latest updates.

I was only asking for a feedback about the updates that got integrated into my W7 SP1 original install.wim compared to a integrating just the AskWoody list.

You might read Canadian Tech’s method for clean installing Windows 7 without telemetry (if telemetry is the issue for you): AskWoody #188268 and answers.Microsoft Updating Windows 7 in 2018.

I don’t have any experience with the Simplex Pack, and would have to go through its listed updates manually, to see what type of updating they are using… maybe someone will answer with more experience that can tell you. The link to pastebin just shows a very long list of included updates to have to weed through.

I’ve installed using @Canadian Tech’s method, and it went smoothly, and my Windows 7 has been very stable… and is telemetry free.

My doubt is about how is it possible that Simplex Pack is telemetry free while not using the security-only updates? I checked and all the KB starting with 4 in the AskWoody list are missing. Anyway, I don’t honestly understand this Canadian Tech guy. Why just install security-only updates till May 2017? That makes no sense for me… As for system images, I’ve never used them, and I’d prefer to avoid them if possible. As I said, I can already make a perfectly stable ISO integrating all the security-only updates and then installing the extra ones that I’m prompted to. Of course my real objective would be to know in advance which are the “extra ones” that Windows Update is going to offer me so that I could integrate everything in one shot and not having to install 1 single update.

1 user thanked author for this post.

PK – Sorry to bother again, but I’ve been trying to update the Jan KB4480964 on my W7 and after downloading I get the “message” that this update is not applicable to my computer. I’ve been using the x64 updates for quite sometime, so I’m confused/bemused by this response.

Should I try the x32 version, or is there some other thing (that you may know about) that is currently going on?

1 user thanked author for this post.

I’ve tried a few more times and nothing works. Ive even waited an hour or so for the larger file to arrive. I also swept the floor looking for some kind of eff-up on my part that would have allowed my Win 7 system to to think it was something else. I did not find anything on this unit that should prevent an update from microsloth to become downloaded. Unless, of course that it is W7 and not W8.1

I’m absolutely confused by this; you guys have always come up with an answer, or a work-around when this kind of s**** occurs. If I need to upgrade this PC to W8.1 I’m ready to do that. My wife won’t be, but that’s my problem and not yours.

Well, KB4480964 is for Windows 8.1. You say you have a W7 computer, which I take to mean Windows 7. So I think it’s a good thing you’re getting the message that it (KB4480964) isn’t applicable to your computer.

Edit: If you want the January Security Only patch for Win 7 you want KB4480960.

2 users thanked author for this post.

Roger that DrB. YOU sir, are correct. Anyone needing the Jan 2019 Win7 64-bit update should pay close attention, since it was not available on the “Group B” update site here at Woody’s. Clanking in to Widders own site for updates and (taking time to go fill the wee dram glass) allowed the download for that appropriate 4480960 update to arrive and, subsequently be installed.

PK, I don’t know how else to do this, so I’m asking this question as a reply to an unrelated issue.

And it’s a big ASK.

I have a Windows 7 machine that I haven’t turned on since 2015. It was right in the middle of that mess with Windows Update – it took hours and hours to update Windows 7, if it updated at all. In the midst of that we moved. I boxed that PC up and didn’t unpack it until last weekend. Still haven’t turned it on let alone connected to the web.

I want to resurrect that machine. I’d like it to be Group B – security only updates. I don’t want the spectre and related updates. I also wish to avoid the modern telemetry add-ons. I just want my old Win7 machine up and running securely.

Now to the big ASK! What steps should I take to bring this machine back to life – albeit a mostly secure if not fully updated life? Even if you choose not to respond to this ASK you’ll have my eternal respect as one of Woody’s MVP’s.

This is not the right place to do that. Make a topic under Win7 Patches Forum. I’ll try to put something together in my spare time (ha ha). Name it something like “How to update Win7 that has been offline since 2015” (or something like that).

That post is two years old. There is a more recent one than that, but I need to find it. And that even needs to be updated (for example, we have had two SSUs since). Set up the Topic and give me some time to find the links and get together the changes since.

Just so that you know – KB 4489873(the security-only update for IE11, Windows 8.1, 64 bit March 2019) still does not work well with my Halo Spartan Strike game – missing sound and possibly other problems. I have uninstalled it for normal game-playing. I haven’t noticed any problems with the March 2019 Windows 8.1 64 bit update.

1 user thanked author for this post.

Wow, it is already MAY! (still snowing here, currently 36 degrees outside) only 8 more months of win7…

thanks to the Woody’s wise patch system and all the helping elves, too. all i had were the 2 B patches and MSRT plus the Office 2010 patches on one machine and they came back for more in fine style. i ran DISM and came up with 2 patches from 2014 and 2015 KB3033929 and KB3003743 both of which caused problems for lots of folks when they were originally released. KB3003743 MS14-074 was so troublesome that Woody wrote about it on Infoworld “Microsoft’s Black Tuesday Toll,”

i log most every patch that is removed after monthly patches and am wondering why they were breaking machines when originally released and why are they being removed from SxS 4 or 5 years later? Especially when the OS is soon to be relegated to the pages of history?

Anyway, many more thanks for helping us make through yet another “Black Tuesday!”

1 user thanked author for this post.

just did 3 win7 pro 32 bit, 2 AMD, 1 Intel. got the IE-29.1MB and SO-72.3MB + pci..29.5KB. here then the rest through update chute. Office 2010 had 2, KB44645672.9MB and Outlook KB4464524 12.1MB plus KB890830-May MSRT-6.8MB. threw away the rest of the bad fish. the PciClearStaleCache.exe did not run. the KB4499406-43.2MB .NET (KB4495606 for me) ran cleanup for 13-14 min. after reboots. and as usual did the tasmanian devil fragmentation routine all over my HDD’s. i notice a problem is surfacing (i should have waited a little longer? to patch.) i eagerly await the day my kester will be too far away for microsoft to reach and i will never forget the wasted hours and stressed machines trying to patch because microsoft wanted me to do things their way.

let me see? what constructive things could i do with all the time i will have after my cruel microsoft task master fades into the distant past? humm, i know, i’ll keep pushing the limits of my newfound friend linux…

thanks, PK! wake me up from my post patching glow when i will then have to rip out all of the May 2019 patches because somebody forgot to build them correctly… (again)

It’s because the topic is closed to new comments that the text is different to a normal topic. However, the current site issues have changed how closed topics are displayed, making them a little harder to read currently.

Yet again the file hashes for the cumulative security update for IE11 (KB4498206) do not match the table of hashes here. I know it’s in the filename but it’s a bit disconcerting when there’s a mismatch like that and filenames can easily be changed. Probably give the May update a miss since it’s cumulative anyway.

Attachments:

Yes but that’s the filename, if you look at the table (under ‘File information’) in the link to the cumulative update i posted that hash in the filename doesn’t match any of the SHA1 hashes listed. Nor does SHA256 if you check the file from a command prompt using certutil -hashfile. This happened in january as well and i skipped that update. I’m sure it’s safe but you know, it’s microsoft we’re talking about here and since they are cumulative i’d rather just skip an update. I’m group b by the way.

I apologize if this is another repeat question on the topic, but I have some questions regarding KB4490628 & KB4474419.

I have KB4474419 installed, but not KB4490628. Am I correct in reading PKCano’s post that KB4490628 has to be installed on it’s own? Also is it possible to install it even though I have already installed KB4474419 or does it need to go KB4490628 and then KB4474419?

Yes, KB4490628 (all Servicing Stack updates, as a matter of fact) has to be installed exclusively, ie, by itself. Install it by itself, wait 5 minutes for the install to complete, then reboot your computer.

? say:
just started patching win7 32 bit thanks to woody’s June green lite. already KB4508646 -IE has hijacked my blank tab page and put on a plethora of their self serving (news, weather, sports and so much more) junk… to return to blank second tab had to go into settings and return it to the way I had it. ie-blank page. so I’ll see what else they decided was better for me and report back, the so-called-patchin’ day is still young

changed my accelerators back to enabled (E-mail with windows live, map with Bing, translate with Bing.) turned on Dom storage, turned off pop-up blocker, and mscorsvw.exe was running when i first rebooted from the 2 stand-alone-b patches. i did install the office 2010 2.0 filter pack, what the heck? been at this on the first machine for 1 hour and 45 minutes…

i’ll report back after today’s torture session. by the way my linux machine from which i’m now speaking was automagically FULLY PATCHED (as usual) when i fired it up this morning

oh, yeah i was so excited that the missing pieces of the SO+telem did not blue screen me that i was remiss in mentioning the July IE cumulative patch. i cleaned up after and the DISM did not spit out any old KB’s either. the .Net scrambled up my hdd as usual so i ran defraggler quick style to get it reasonably straight before running Defrag C:\ /h /u /v after reboot. so we will see how this plays out i guess. i do not like skipping the SO but i do not like all the gunk that comes with the appariser since winX in definitly not in my future. 3 hours for 1 machine and i have 3 more to go, maybe tomorrow

@pkcano: I am Win 7, x64, Home Premium, Group A, and I don’t use the IE11. This is not something that can’t recall the last time I updated. Am I “out in left field” on this one? Thank you for any assistance you may have on this issue. Your help is appreciated very much, as always.

@PKCano: I sent a reply to your message about the July IE11, and somehow I was logged out, and the message is probably listed under “anonymous” now (?). If so, my apologies, I don’t know what occurred. 🙁

@PKCano: Thank you so much for the clarification. I’ve had health problems for the past several months, and I can see from the “topic” alone that I am waaaaaaaaaaaaay off base with this one. I’m still in a “recovery” period. Thank you for your patient and guiding assistance. 🙂

MS issues a Preview Rollup each month, usually a week after Patch Tuesday, that is meant for testing of the coming month’s non-security fixes by IT departments and the like. Each time, it is an UNCHECKED OPTIONAL patch and is not meant for general installation/usage.
It contains the patches in the current Rollup (non-security, security, IE11 CU) plus the coming month’s non-security fixes for testing purposes.

i’m wondering how KB3133977 (bit locker fix) will work since i checked the “NO SYSTEM RESERVED,” box when i installed Windows 7 (trust their encryption?), and KB4474419 v2 the second SHA-2 patch will figure in the mix?

and please explain why all the feverish interest in patching Windows 7 since it is laying in the trench waiting for the final dirt to be applied?

so, it looks like August “B” style patching (or any patching for that matter) will be verrrry interesting…

The Rollups have the KB2952664 functionality PLUS diagtrack service and WMI autologger which are part of CompatTelRunner.exe operations.

It is easier to follow Group A patching. Group B is getting more complex as time goes on.
You should go ahead and install one of the July patches because there are other security fixes beside the included telemetry.

Either way, you can neutralize the telemetry by following the instruction in @abbodi86 ‘s AKB2000012.

I was in Group A before October 2018. My system should have diagtrack service and WMI autologger already. Both Group A and B have Compatibility Appraiser now, so I would switch to Group A. Thank you for clarifying.

patched 1 win7 pro 32bit BIOS boot dual core: no KB3133977, had KB4490628 (inst. 04/02/2019) updated (standalone) KB4474419 to August v2, took 1 minute to install then rebooted back to desktop and then updated MSE to see if it fixed the recent patching errors (failures) and it did. next up was (standalone) KB4511872-August IE (rebooted normally) 2 minutes from shutdown back to desktop. waited 12 minutes for Trusted Installer to finish then installed KB4512486-August SO (standalone) took 1 minute to install, rebooted with several pauses before getting back to the desktop (4 minutes) and while waiting for trusted installer updated MSE with no errors. next started scanning wu for updates (ran for 4 minutes) and produced 2 Important checked patches: KB4512506-August rollup and August MSRT (7.5MB) plus 3 unchecked Optional updates: KB4512514 2019-08 Preview Rollup (183.6MB), KB4512193 2019-08 .Net Preview, and KB4503548 2019-08-.Net v4.8. hid everything except the KB890830 August MSRT (3 minutes to install). rechecked for additional updates (1 minute) with no extras. locked down wu and checked Task Scheduler for additional tasks (none) and no new Services either/or disabled/re-enabled. CBS.log grew from essentially empty to 63,509kB which will be emptied along with Software Distribution\Download folder during the next after patching clean-up. i also checked to see if any of the missing kb’s from the July SO i skipped (see 1912254 above) were patched but no joy, maybe next time?

installed KB890830-August MSRT (7.5MB) on all machines as usual (heartbeat is disabled).

the only weirdness was the way KB4511872 and\or KB4517297 installs. it took 5-6 minutes and configured thusly: reboot from desktop to finish install>starting>black screen>please wait>prepairing to configure>configuring>shutting down>rebooting>starting windows>please wait>welcome>back up to desktop. only 4 more months of patching ordeals until Christmas…

In Step B5 “Get Rid of Problematic Updates”, it says that if you have no intention of updating to Windows 10 in the near future, look for KB3150513 and uncheck the box. Should you modify Step B5 to mention that we should also look for KB4493132 and uncheck that box also? Woody discussed KB4493132 in his ComputerWorld article of December 5, 2019 as being a “Get Windows 10” nag patch for which we should uncheck the box.

While I mourn the passing of free updates for Windows 7, I am transitioning to two computers running W8.1. Thanks to PKCano for helping me be a “Group B” member in the past and hopefully the next 3 years!

I have the same question as “Skunk1966” posted several days ago (post #2038089) that hasn’t been addressed by anyone yet. This thread jumps from September 8th to December 9th showing no posts during a 3 month time period! Are posts from this time frame available someplace else?

I need to update two computers in Group B from August 2019 thru January 2020 and for some strange reason the exact time period I need info for is missing here. I seem to remember at least one SSU needs to be installed during this time frame and I’m seeking help getting the proper installation order for SO Updates from August 2019 thru January 2020 along with exactly when to install any SSU that’s required.

1 user thanked author for this post.

Yes, I realize this is a DISCUSSION of the patch list and that’s exactly what I’m looking for, I already have all of the SO update files downloaded.

I distinctly remember discussions between October & December about installing at least one SSU before installing particular SO Updates on Win 7 and that’s what I’m trying to find out. The list of updates doesn’t show any prerequisites required after September but I seem to remember at least one SSU released after KB4516655.

I normally stay on top of all this Group B stuff but due to unforeseen circumstances that I won’t go into I’ve gotten several months behind. If you scroll through this entire thread looking at the post dates don’t you find it a bit odd that nobody discussed anything at all here during an entire 3 month period?

I’ve seen a TON of Group-B patching discussion during that timeframe, but most of it was tacked-on to other discussion topics, or was part of the typical “These new patches were released today” sort of topics that usually started by Woody or one of the MVPs.

You’ll probably have to go searching to find the info you’re looking for.

@PKCano…
I know the SSU FILES aren’t provided here but if an SSU is required before installing a SO Update it’s normally shown as a prerequisite in the list of update links. I’m not seeing ANY SSU required in the links after KB4516655 in September… but I seem to recall discussions about installing particular SSU files either before or after particular SO updates AFTER September.

The last SSU I installed was KB4516655 in September… do I need to install any others before attempting to install all of the SO Updates posted in the list from September thru January?

If you look at the MS Support page for the SO, down toward the bottem the SSU is usually listed (on the CU Support page as well).

If you run Windows Update and install the Rollup, the SSU is served up last. THis is what happens to the unwashed masses on Automatic. I always use this for my installs and I have had no problems (8 Win7 every month plus those I support) in spite of what MS publishes. On the other hand, many of the posters have installed the SSU first.

There has been discussions about this among Group B as well. And it has been done both ways with the same results. If you search for the SO’s KB number on the site you will see the discussions.

FYI: The installs the last couple of months have been taking longer than usual, and some have experienced two boots.

PK: Will the Windows 7 portion of the Ongoing List of Updates end with the January 2020 updates? And will there be any reason for those of us with Windows 7 to look at AKB 2000003 any more (especially those such as myself who have or are planning to get a license for Extended Security Updates)? I note that there was a comment by abbodi86 back in December which said “December Security Only KB4530692 include ExtendedSecurityUpdatesAI placeholder manifest. This probably indicate ESUs will continue with dual Rollup/SO model.” I’m not sure I understand what he’s saying there because I’m not an expert, but if what he’s saying actually occurs, it makes me wonder if I would need to switch from SO updates to rollups if I get an ESU license.

The only reason you would need what is currently on the list (as of Jan 14, 2020) is if you had a problem and had to reinstall the OS.
I don’t know if MS will continue with the Rollup/SO model or it will be Rollups only. I suspect they will not be making improvements to Win7 and the patches will, for all practical purposes, be security-only in nature, even if they split OS and IE11 updates. But I’m just guessing.

If there is still any prupose to the Group A/Group B patching, we may continue to add the latter to AKB2000003, But if there is only one patch, delivered through WU, I don’t see the justification.

1 user thanked author for this post.

1. My understanding is that in order to be eligible for the ESU, I will need to switch from Group B to Group A, and install monthly rollups from this point forward. Is that correct?

2, If so, what is the procedure for doing this? Do I simply install the February rollup when Woody gives the go-ahead for February? Or is there something else I need to do?

3. Also, I remember reading on this website where you advised a member to install the October 2019 rollup, but I can’t remember where I saw that. So is that true that I would need to start with the October rollup?

1. My understanding is that in order to be eligible for the ESU, I will need to switch from Group B to Group A, and install monthly rollups from this point forward. Is that correct?

As I understand it, you have to install the Oct 2019 Rollup at least, and there are some other patch requirements. There are several threads in which Susan Bradley and Amy discuss the requirements, Try searching for “ESU.”
Here’s a start:

PK: Thanks for your response. However, my research indicates that Microsoft issued an update posting on February 3, 2020 that says you can substitute any of the “security-only” updates from Nov 2019 – Jan 2020 instead of the Oct 2019 monthly rollup. So I’m planning on skipping the October 2019 rollup because as a member of “Group B”, I’ve already installed the “security-only” updates from Nov 2019 – Jan 2020 . I’ve posted more details on this in Susan Bradley’s article “Got Questions about ESU patches? We got Answers “ (see Post #2153353 dated February 19, 2020). If you think I’m wrong about this, please correct me, because I’m just a novice at this stuff.

My two cents or even less: Yes, people applied as recommended (after) and (implicitly) not recommended (before) and, if memory serves, not much was heard of “I tried this way, and it was bad”, and a lot of “I tried this way and it was good.” So doing it either way seems to have worked just equally fine, but.

But better make that “as far as anyone has noticed”. Not only because, from a strictly scientific point of view this is the correct caution to give, in more or less those words — always, but because the fact that installing the update in the ‘non-recommended’ order (before the SO patch for us B Groupers) might break something that is not immediately obvious, or even that soon becomes obvious. Sometimes these things take take time and, by the time one notices that the HD is starting to make funny noises, it might already be too late.

In my very uneducated and confused opinion, if at MS they thought that “after” should be the order of installation, maybe they also had one reason and even more than one for advising us to do it this way. Just saying.

NB: And I installed the SSU, as recommended by MS, after the SO and also after creating a restore point just meant for it, in case that did not work. The result was good and still is — so far.

I’m trying to update a pretty old Windows 7 x64 machine with a large backlog of updates. I was doing just the Security Only updates. But when I got to the 2018-11 Security Only Quality Update for Windows 7 for x64-based Systems (KB4467106), I had the same problem (in Feb 2020) as what SueW, twbartender, and Ed described back in 2018. The file is supposed to be 36.6 MB, but what gets downloaded is exactly 8 MB. I tried numerous times over several days, and the file size was consistently 8,192 KB. Are there any alternative (and trustworthy!) places to download this update file?

I’m asking whether there’s any reason to remain in Group B because, if there’s no point in doing the Security Only updates anymore, then I don’t have to worry about downloading the problematic 2018-11 Security Only Quality Update, and I can simply use the 2020-01 Security Monthly Quality Rollup, which is cumulative, plus abbodi86’s script.

1 user thanked author for this post.

Group B people will loudly disagree with this, but IMHO there is no point to Group B anymore. The original purpose was to eliminate telemetry, but in avoiding it in Group B means you are also avoiding important security updates as well.

I started with Group B but long ago switched to Group A. I run @abbodi86 ‘s script as a Scheduled Task at startup, and it has worked well. The instructions are in AKB2000012.

2 users thanked author for this post.

The aspect of Group B that made the most sense to me was to avoid the nonsense of what the rollups contain.

Security only updates was what made me choose that direction.

Telemetry never entered the equation as the guiding motive for me. Checking The task scheduler settings that abbodi86 mentions in 2000012 only became necessary for me because the compatability appraiser update contained in KB4516064 from Sep.2019 was an accidental install. I meant to avoid it.

This laptop that has Win 8.1 will be ridden into the sunset avoiding rollups or until another method reveals itself as more efficient. My next machine might have Win 10 on it but it will be dual boot to Linux & Win 10 may never get updated. Time will tell for sure on that ‘cus I’m in no hurry.

Meanwhile, AskWoody continues to broaden my horizons as a helpful place to visit. Eight Semper Fi.

Win 8.1 Group B, Linux Dabbler

1 user thanked author for this post.

So, wanted to thank you guys for keeping the 2000003 topic going, i’ve followed it for years and have purchased the newest computers that can run 8.1 in the past based on this topic/made serious decisions as to computers going forward – (and yes, I get to deal with the stupidity of MS attempting to disable Kaby Lake and Intel HD Graphics- fortunately I was able to tweak them back and retain full functionality. I intend to stay with 8.1 to the ned (I do have a copy of 10 that I almost never use that i am setting up for some gaming only and I won’t put anything else there, but it can’t touch me as it’s on a separate partition on my computer and 8.1 is locked down FDE style via Veracrypt and has most of the space so 10 is “locked in a corner”

Anyway
I am currently bringing up my daily driver to up to date- and currently am up to Sept 2019’s updates and counting. (Manually downloaded all updates, am installing them one by one- I don’t care what it takes to bring this computer up to speed though i wish this was automated… or there was a program that let you select updates and add only those ones.)

I’ve done stuff like disabled scheduled tasks, etc as pointed out in other topics – As I start to get past the end of 2019 and into 2020. I see comments that Group B isn’t worth it anymore -but this makes no sense and I’m thinking that is referencing Windows 7?

I’m not seeing anything in 8.1 that’s a security update that contains telemetry that you can’t tweak – so Group B lives on for now – Seems to me, for 8.1, Group B is still chugging…?

Anyway, after going back and forth about this, I don’t understand the IE patches?
Am I okay just manually grabbing them all then applying them in? I don’t use IE, but will grab the patches anyway….(or maybe uninstall them all later)
(I’ll as a fun project look into gutting IE of as much telemetry as possible, I’ll spin it up in a Virtual Box…)

Plus Membership

Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.

AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments. Click here for details and to sign up.